If you want to find the best WordPress security plugin to protect your new (or old) and shiny (or less shiny) site
you’re in the right place. This post contains an in-depth comparison of the most popular and strongest (in terms of
features) plugins available.
Since we have the intro text and post highlights ready, let’s get into the features used in the comparison.
Description of the features used in the plugin comparison.
If you click on the name of a feature you’ll move to that feature in the plugin comparison table; if you then click on the feature name in that table you’ll get back to its description. The checks below may help you as well if you’re experiencing any WordPress security issues.
Whether the plugin provides automatic security scans for: core WordPress file changes; plugin, theme and other filesystem changes; permissions (are we not 777’ing all over the place? It’s bad practice if you didn’t get it :D).
Automatic malware scans are rare because they’re not easy, and usually only available in the premium/paid version of a plugin. Malware scans are one tricky pony to ride: you can scan files for functions typically used in malware, for changes on the file system and of course for signatures (which usually come with a price tag attached). Sometimes it requires extra server resources or access, so that’s understandable.
Important in blocking many types of attacks, i.e. remote code execution or parameter, SQL, XSS and other types of injection. Imagine someone trying to use that good old contact form to inject their malware (remote code) into your WordPress… if the plugin doesn’t validate form fields, then a web firewall might just do the job.
Can you lock down the login page or disallow users from logging in (apart from the ones that were whitelisted)? Are you worried that one of your 500 regular user accounts was used to exploit one of these authenticated injection bugs? This feature will help you stop anyone apart from you from logging in to your site, so you can clean up.
Does the plugin offer protection against brute-force attacks? It is what it sounds like: multiple login attempts using a dictionary or just a rule-based attack. I’ll drop in here as well protection against any scripts or bots that try to scrape your content or simply hit your website 500 times per minute.
Does it allow creating and restoring backups of your WordPress database? A critical feature I’d say, especially in the doom scenario where your site gets infected with that new ransomware and it ends up demanding $1000 in Bitcoin for handing you over the decoded version. Not funny if that’s your 300 posts from the last couple of years. In typical conditions backing up often is a great habit, and if you still don’t, well… now is the time.
Sanity check on file and folder permissions. Can someone see all your plugins just by going to address_com/wp-content/plugins? Are the theme and WordPress files writable, the ones that shouldn’t be? This plugin feature will help you check your WordPress even without admin skills 🙂
Prevents code execution in the uploads folder and other locations… Say someone uploads a PHP script as an image file and that really “great” plugin doesn’t detect it; the next step is someone running that file as a script and doing evil things to your site or server. Lovely feature, one of the must-haves on my list!
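As an added example (not code from the post or from any plugin it reviews), here is a stand-alone Python check for the two things the last two paragraphs ask about: paths writable by everyone, and PHP scripts sitting under the uploads folder. The list of executable extensions and the constructed sample tree are assumptions.

```python
# Added example (not code from the post or any plugin it reviews): a stand-alone
# sanity check over a WordPress tree for the two things the post asks about above:
# paths writable by everyone, and PHP scripts sitting under wp-content/uploads.
import os
import stat
import tempfile

# Extensions the web server might execute; the list is an assumption, tune it.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".phar"}

def check_tree(root):
    """Return sorted lists of world-writable paths and of scripts in uploads."""
    findings = {"world_writable": [], "scripts_in_uploads": []}
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a link's own mode bits say nothing useful
            if mode & stat.S_IWOTH:  # writable by "other": the 777 / 666 smell
                findings["world_writable"].append(os.path.relpath(path, root))
        if dirpath == uploads or dirpath.startswith(uploads + os.sep):
            for name in filenames:
                if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    findings["scripts_in_uploads"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}

def build_demo_tree():
    """Constructed sample install: one 777 plugin file, one script in uploads."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    def write(rel, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    write("wp-config.php", 0o640)                        # fine
    write("wp-content/plugins/hello/hello.php", 0o777)   # world-writable
    write("wp-content/uploads/2024/photo.php", 0o644)    # script where only media belongs
    return root

if __name__ == "__main__":
    print(check_tree(build_demo_tree()))
```

A real check would also verify that the web server refuses to execute anything under uploads, which is server configuration rather than file metadata.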
Detects changes in the files and folders of your installation. A simple and effective way to detect changes made by any malware or virus, especially not very advanced ones, which (in the case of an ill-configured server) can modify system files and modify or redirect your site on the fly. Generally this is another top feature on my list. Great for detecting new malware that doesn’t yet have signatures used in scanners.
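As an added example (not the post’s code, and not taken from any plugin it reviews), the file change detection just described, written in Python: hash a baseline of the install, rescan later, and report added, removed and modified files, skipping paths that match an ignore list. The ignore globs and the constructed sample install are assumptions.

```python
# Added example, not code from the post or any plugin it reviews: a minimal file
# change detector. A first pass hashes every file under the WordPress root into a
# baseline; a later pass reports added, removed and modified files, minus ignores.
import fnmatch
import hashlib
import os
import tempfile

# Caveat: ignoring all of wp-content/uploads would also hide a dropped script there,
# so ignore only paths that churn legitimately (cache, logs), not whole upload trees.
DEFAULT_IGNORE = ("wp-content/cache/*", "*.log")

def build_baseline(root, ignore=DEFAULT_IGNORE):
    """Map relative path -> sha256 hex digest for every file not ignored."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, pat) for pat in ignore):
                continue
            with open(full, "rb") as f:
                baseline[rel] = hashlib.sha256(f.read()).hexdigest()
    return baseline

def diff_baselines(old, new):
    """Classify differences between two baselines into sorted lists."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo():
    """Constructed scenario: baseline a tiny install, tamper with it, report."""
    root = tempfile.mkdtemp(prefix="wp-fim-")
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f: f.write(text)
    write("wp-includes/functions.php", "<?php // pristine core file\n")
    write("readme.html", "<html>stock readme</html>\n")
    write("wp-content/cache/page.html", "<html>cached</html>\n")
    before = build_baseline(root)
    write("wp-includes/functions.php", "<?php // core file with an injected line\n")
    write("wp-content/unexpected.php", "<?php // file that was never installed\n")
    write("wp-content/cache/page.html", "<html>recached</html>\n")  # ignored churn
    os.remove(os.path.join(root, "readme.html"))
    return diff_baselines(before, build_baseline(root))
```

Store the baseline somewhere the web server cannot write, otherwise whatever modified the files can also rewrite the hashes.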
The REST API allows other applications (and sometimes plugins) to communicate with your WP. Some applications like desktop posting software or even other WordPress plugins might use it. If you switch it off, test your site and all forms afterwards.
Whether the plugin helps prevent making/checking whether certain usernames are registered. If an attacker is able to get a list of usernames by hitting /author?= or similar public WordPress endpoints, it will be much easier for them to run a brute-force attack afterwards.
A great all-rounder, with some of the most important security features: detecting changes in my files and directories, and database backup options. On top of that it has manual scan options, a honeypot (useful for detecting bot users), anti-frame and even copy-text protection. An extremely rich set of features, even in the free version.
the dashboard and the system info parts a lot, loads of useful information.
custom rules for firewall
hide/redirect login page feature
manual file change scan available
got database backup and db rename functions (useful against some SQL injection attacks)
free automated file change detection scan with custom scheduler and ignore files/dirs option
Might be a good choice if the amount of options in the previous plugin terrifies you. It has fewer features and for my taste is not configurable enough; it might then be a good choice for your not very tech-savvy user. The basic scan failed due to certificate issues, so that means there’s no internal scan, a bit of a minus.
away mode, which blocks access to the WordPress dashboard for a period of time
Great security plugin, nice indicators with basic file system permission checks. Has a traffic inspector with live preview in the free version. Great blocking options on the web firewall and easy diagnostics. Scans for file system changes and other oddities.
Simplistic (in appearance) plugin with a clean dashboard and some great features. It has a site integrity checker and two kinds of scans. Has a quarantine system for “evil” files. I believe it could be used as a complementary security plugin along with one of the above hard hitters.
good amount of anti-bot and locking features
disabling PHP uploads, execution and error display